geteduroam - Re: Setting up a CA

Subject: An open discussion list for topics related to the geteduroam service

Re: Setting up a CA


  • From: Wenche Backman-Kamila <wenche.backman-kamila AT csc.fi>
  • To: Paul Dekkers <paul.dekkers AT surf.nl>
  • Cc: geteduroam <geteduroam AT lists.geant.org>
  • Subject: Re: Setting up a CA
  • Date: Fri, 28 May 2021 13:28:03 +0300 (EEST)

Hi,

Thanks for this. The problem with the OT pilot is that the institution loses so much control: it does not know how many certs are generated and to whom. And revocation is scary.

What we need would be a geteduroam server for Finland in this case. With a CA per institution. How did you set up the one for the Netherlands, Paul?

Regards,

Wenche


From: "geteduroam" <geteduroam AT lists.geant.org>
To: "Wenche Backman-Kamila" <wenche.backman-kamila AT csc.fi>
Cc: "geteduroam" <geteduroam AT lists.geant.org>
Sent: Friday, 28 May, 2021 11:44:21
Subject: Re: Setting up a CA

Hi,

On 27/05/2021 14:11, Wenche Backman-Kamila wrote:
Hi,

geteduroam is generating interest in Finland and in order to get it right from the beginning I have a few questions:

- Would you recommend that we set up one CA for the country or that each member (University) set up their own CA?

This is a bit of an "everything is possible" answer:

I think the portal can easily be centralized and connected to, in your case, Haka. EAP-TLS is also kind of convenient to offer centralized: it can be distributed easily and does not require lookups in directories. So that's, I think, why this is done centralized so far. You could mix it, and offer the institutions to do the EAP-TLS validation locally, or institutions could indeed do the entire thing themselves if they're up for that. You don't really need NRO involvement in that case, and in a way they're "on their own". They also need to do SAML for their own authentication, which may be less trivial to them than, for instance, connecting to Haka.

I myself noticed most interest in doing it centrally from the NRO. (Even in that scenario each institution has their own domain, realm, and their own CA with that BTW; that's at least how the reference implementation works.)

Did you consider using the OT (pilot) service in eduGAIN for more institutions? You could easily migrate even from one instance to another, as that's just a pointer in CAT for new institutions also. The intention is to make it scale well for these kinds of scenarios too. (And if this becomes popular, give NROs the right controls.)


- Could you point to some kind of documentation to get this started?

I guess that's https://github.com/geteduroam/letswifi-ca

Regards,

Paul